Re: ssl parameters ignored

Sander Klein Tue, 24 Nov 2015 11:52:18 -0800

Hi Nenad,

On 2015-11-24 16:15, Nenad Merdanovic wrote:

Can you post a minimal configuration (or full) which reproduces this?


Yes, here it is:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        #ca-base /etc/ssl/certs
        #crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

ssl-default-bind-ciphersECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

ssl-default-server-ciphersECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

        ssl-server-verify none
        tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend web
        bind x.x.x.x:80
        bind x.x.x.x:443 ssl crt /etc/haproxy/SSL/ strict-sni
        bind x:x:x::x:80
        bind x:x:x::x:443 ssl crt /etc/haproxy/SSL/

        mode http
        maxconn 4096

        option httplog
        option splice-auto

        capture request header Host             len 64
        capture request header User-Agent       len 16
        capture request header Content-Length   len 10
        capture request header Referer          len 256
        capture response header Content-Length  len 10

        use_backend nginx

backend nginx
        fullconn 128
        mode http

        option abortonclose
        option http-keep-alive

        server nginx 127.0.0.1:443 ssl cookie nginx send-proxy

Re: ssl parameters ignored

Reply via email to